
Three AlmaLinux security updates have been released: an update for Ruby (ALSA-2025:23141), rated moderate, and updates for Mozilla Thunderbird (ALSA-2026:0025) and the kernel packages (ALSA-2025:23279), both rated important. The Ruby update fixes denial-of-service issues in the resolv and rexml gems. The Thunderbird update fixes issues the advisory lists under firefox: memory safety bugs, a use-after-free, a sandbox escape, privilege escalations, a same-origin policy bypass, and JIT miscompilations. The kernel update fixes the CAP_SYS_ADMIN user-namespace check in clone_private_mnt() and the handling of napi->skb in the tun driver after XDP processing. More details about these security issues, including their impact, CVSS scores, and acknowledgments, are on the corresponding CVE pages listed in the References section of each update.

ALSA-2025:23141: ruby security update (Moderate)
ALSA-2026:0025: thunderbird security update (Important)
ALSA-2025:23279: kernel security update (Important)




ALSA-2025:23141: ruby security update (Moderate)


Hi,

You are receiving an AlmaLinux Security update email because you subscribed to receive errata notifications from AlmaLinux.

AlmaLinux: 10
Type: Security
Severity: Moderate
Release date: 2026-01-05

Summary:

Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks.

Security Fix(es):

* resolv: Denial of Service in resolv gem (CVE-2025-24294)
* rexml: REXML denial of service (CVE-2025-58767)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Full details, updated packages, references, and other related information: https://errata.almalinux.org/10/ALSA-2025-23141.html

This message is automatically generated, please don’t reply. For further questions, please, contact us via the AlmaLinux community chat: https://chat.almalinux.org/.
Want to change your notification settings? Sign in and manage mailing lists on https://lists.almalinux.org.

Kind regards,
AlmaLinux Team



ALSA-2026:0025: thunderbird security update (Important)



AlmaLinux: 10
Type: Security
Severity: Important
Release date: 2026-01-05

Summary:

Mozilla Thunderbird is a standalone mail and newsgroup client.

Security Fix(es):

* firefox: Memory safety bugs fixed in Firefox ESR 140.6, Thunderbird ESR 140.6, Firefox 146 and Thunderbird 146 (CVE-2025-14333)
* firefox: Use-after-free in the WebRTC: Signaling component (CVE-2025-14321)
* firefox: JIT miscompilation in the JavaScript Engine: JIT component (CVE-2025-14325)
* firefox: Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component (CVE-2025-14322)
* firefox: Privilege escalation in the Netmonitor component (CVE-2025-14328)
* firefox: Privilege escalation in the Netmonitor component (CVE-2025-14329)
* firefox: Same-origin policy bypass in the Request Handling component (CVE-2025-14331)
* firefox: Privilege escalation in the DOM: Notifications component (CVE-2025-14323)
* firefox: JIT miscompilation in the JavaScript Engine: JIT component (CVE-2025-14330)
* firefox: JIT miscompilation in the JavaScript Engine: JIT component (CVE-2025-14324)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Full details, updated packages, references, and other related information: https://errata.almalinux.org/10/ALSA-2026-0025.html




ALSA-2025:23279: kernel security update (Important)



AlmaLinux: 10
Type: Security
Severity: Important
Release date: 2026-01-05

Summary:

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es):

* kernel: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns (CVE-2025-38499)
* kernel: net: tun: Update napi->skb after XDP process (CVE-2025-39984)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Full details, updated packages, references, and other related information: https://errata.almalinux.org/10/ALSA-2025-23279.html
